X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-oauth%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Foauth%2FDirectOAuthTAF.java;h=3d863824c581bdd512d4a9e743036e0eed3e18d7;hb=7e966914050e66219689001ff4ab601a49eef0ac;hp=16d726862f7b1c9f1c151f2f477a20817c0ccda1;hpb=c36423577d5b8501af78cc2f8a7db1e43eacdf0d;p=aaf%2Fauthz.git
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
index 16d72686..3d863824 100644
--- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
@@ -62,164 +62,163 @@ import org.onap.aaf.misc.env.APIException;
 import aafoauth.v2_0.Introspect;
 public class DirectOAuthTAF implements HttpTaf {
- private PropAccess access;
- private DirectIntrospect oaFacade;
- private TokenMgr tkMgr;
- private final DirectAAFUserPass directUserPass;
- private TokenClient altIntrospectClient;
-
- public DirectOAuthTAF(AuthzEnv env, Question q, DirectIntrospect facade) throws APIException, CadiException {
- access = env.access();
- oaFacade = facade;
- tkMgr = TokenMgr.getInstance(access,"dbToken","dbIntrospect");
- String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
- TokenClientFactory tcf;
- if(alt_url!=null) {
- try {
- tcf = TokenClientFactory.instance(access);
- String[] split = Split.split(',', alt_url);
- int timeout = split.length>1?Integer.parseInt(split[1]):3000;
- altIntrospectClient = tcf.newClient(split[0], timeout);
- altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null),
- access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
- } catch (GeneralSecurityException | IOException | LocatorException e) {
- throw new CadiException(e);
- }
- }
-
- directUserPass = new DirectAAFUserPass(env,q);
- }
-
- @Override
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- String value;
- String token;
- if((value=req.getHeader("Authorization"))!=null && value.startsWith("Bearer ")) {
- token = value.substring(7);
- } else {
- token = null;
- }
-
- if("application/x-www-form-urlencoded".equals(req.getContentType())) {
- @SuppressWarnings("unchecked")
- Map map = req.getParameterMap();
- String client_id=null,client_secret=null,username=null,password=null;
- for(Map.Entry es : map.entrySet()) {
- switch(es.getKey()) {
- case "client_id":
- for(String s : es.getValue()) {
- client_id=s;
- }
- break;
- case "client_secret":
- for(String s : es.getValue()) {
- client_secret=s;
- }
- break;
- case "username":
- for(String s : es.getValue()) {
- username=s;
- }
- break;
- case "password":
- for(String s : es.getValue()) {
- password=s;
- }
- break;
- case "token":
- if(token!=null) { // Defined as both Bearer and Form Encoded - Error
- return new OAuth2HttpTafResp(access, null, "Token Info found as both Bearer Token and Form Info", RESP.FAIL, resp, true);
- }
- for(String s : es.getValue()) {
- token=s;
- }
- break;
- // Ignore others
- }
- }
-
- if(client_id==null || client_secret==null) {
- return new OAuth2HttpTafResp(access, null, "client_id and client_secret required", RESP.TRY_ANOTHER_TAF, resp, false);
- }
-
- if(token==null) { // No Token to work with, use only Client_ID and Client_Secret
- AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
-
- if(directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(), trans)) {
- // Client_ID is valid
- if(username==null) { // Validating just the Client_ID
- return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id,client_id),"OAuth client_id authenticated",RESP.IS_AUTHENTICATED,resp,false);
- } else {
- //TODO - Does a clientID need specific Authorization to pair authentication with user name? At the moment, no.
- // username is ok.
- if(password!=null) {
- if(directUserPass.validate(username, Type.PASSWORD, password.getBytes(), trans)) {
- return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id, username),"OAuth username authenticated",RESP.IS_AUTHENTICATED,resp,false);
- } else {
- return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
- }
- } else { // no Password
- //TODO Check for Trust Permission, which requires looking up Perms?
- return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
- }
- }
- } else {
- return new OAuth2HttpTafResp(access,null,"OAuth client_id " + client_id + " not authenticated ",RESP.FAIL,resp,true);
- }
- }
- }
-
- // OK, have only a Token to validate
- if(token!=null) {
- AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
-
- try {
- Result ri = oaFacade.mappedIntrospect(trans, token);
- if(ri.isOK()) {
- TokenPerm tp = tkMgr.putIntrospect(ri.value, Hash.hashSHA256(token.getBytes()));
- if(tp==null) {
- return new OAuth2HttpTafResp(access, null, "TokenPerm persistence failure", RESP.FAIL, resp, false);
- } else {
- return new OAuth2HttpTafResp(access,new OAuth2Principal(tp,Hash.hashSHA256(token.getBytes())),"Token Authenticated",RESP.IS_AUTHENTICATED,resp,false);
- }
- } else {
- return new OAuth2HttpTafResp(access, null, ri.errorString(), RESP.FAIL, resp, false);
- }
- } catch (APIException e) {
- trans.error().log(e,"Error getting token");
- return new OAuth2HttpTafResp(access, null, "Error getting token: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
- } catch (NoSuchAlgorithmException e) {
- return new OAuth2HttpTafResp(access, null, "Error in security algorithm: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
- }
- }
- return new OAuth2HttpTafResp(access, null, "No OAuth2 Credentials in OAuthForm", RESP.TRY_ANOTHER_TAF, resp, false);
- }
-
- @Override
- public Resp revalidate(CachedPrincipal prin, Object state) {
- // TODO Auto-generated method stub
- return null;
- }
-
- class ServiceTPL implements TokenPermLoader {
- private final AuthzTrans trans;
- public ServiceTPL(AuthzTrans atrans) {
- trans = atrans;
- }
-
- @Override
- public org.onap.aaf.cadi.client.Result load(String accessToken, byte[] cred) throws APIException, CadiException, LocatorException {
- Result ri = oaFacade.mappedIntrospect(trans, accessToken);
- if(ri.notOK()) {
- //TODO what should the status mapping be?
- return org.onap.aaf.cadi.client.Result.err(ri.status,ri.errorString());
- }
- return org.onap.aaf.cadi.client.Result.ok(200,tkMgr.putIntrospect(ri.value, cred));
- }
- }
-
- public DirectAAFUserPass directUserPass() {
- return directUserPass;
- }
+ private PropAccess access;
+ private DirectIntrospect oaFacade;
+ private TokenMgr tkMgr;
+ private final DirectAAFUserPass directUserPass;
+ private TokenClient altIntrospectClient;
+
+ public DirectOAuthTAF(AuthzEnv env, Question q, DirectIntrospect facade) throws APIException, CadiException {
+ access = env.access();
+ oaFacade = facade;
+ tkMgr = TokenMgr.getInstance(access,"dbToken","dbIntrospect");
+ String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
+ TokenClientFactory tcf;
+ if (alt_url!=null) {
+ try {
+ tcf = TokenClientFactory.instance(access);
+ String[] split = Split.split(',', alt_url);
+ int timeout = split.length>1?Integer.parseInt(split[1]):3000;
+ altIntrospectClient = tcf.newClient(split[0], timeout);
+ altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null),
+ access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
+ } catch (GeneralSecurityException | IOException | LocatorException e) {
+ throw new CadiException(e);
+ }
+ }
+
+ directUserPass = new DirectAAFUserPass(env,q);
+ }
+
+ @Override
+ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+ String value;
+ String token;
+ if ((value=req.getHeader("Authorization"))!=null && value.startsWith("Bearer ")) {
+ token = value.substring(7);
+ } else {
+ token = null;
+ }
+
+ if ("application/x-www-form-urlencoded".equals(req.getContentType())) {
+ Map map = req.getParameterMap();
+ String client_id=null,client_secret=null,username=null,password=null;
+ for (Map.Entry es : map.entrySet()) {
+ switch(es.getKey()) {
+ case "client_id":
+ for (String s : es.getValue()) {
+ client_id=s;
+ }
+ break;
+ case "client_secret":
+ for (String s : es.getValue()) {
+ client_secret=s;
+ }
+ break;
+ case "username":
+ for (String s : es.getValue()) {
+ username=s;
+ }
+ break;
+ case "password":
+ for (String s : es.getValue()) {
+ password=s;
+ }
+ break;
+ case "token":
+ if (token!=null) { // Defined as both Bearer and Form Encoded - Error
+ return new OAuth2HttpTafResp(access, null, "Token Info found as both Bearer Token and Form Info", RESP.FAIL, resp, true);
+ }
+ for (String s : es.getValue()) {
+ token=s;
+ }
+ break;
+ // Ignore others
+ }
+ }
+
+ if (client_id==null || client_secret==null) {
+ return new OAuth2HttpTafResp(access, null, "client_id and client_secret required", RESP.TRY_ANOTHER_TAF, resp, false);
+ }
+
+ if (token==null) { // No Token to work with, use only Client_ID and Client_Secret
+ AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
+
+ if (directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(), trans)) {
+ // Client_ID is valid
+ if (username==null) { // Validating just the Client_ID
+ return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id,client_id),"OAuth client_id authenticated",RESP.IS_AUTHENTICATED,resp,false);
+ } else {
+ //TODO - Does a clientID need specific Authorization to pair authentication with user name? At the moment, no.
+ // username is ok.
+ if (password!=null) {
+ if (directUserPass.validate(username, Type.PASSWORD, password.getBytes(), trans)) {
+ return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id, username),"OAuth username authenticated",RESP.IS_AUTHENTICATED,resp,false);
+ } else {
+ return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
+ }
+ } else { // no Password
+ //TODO Check for Trust Permission, which requires looking up Perms?
+ return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true);
+ }
+ }
+ } else {
+ return new OAuth2HttpTafResp(access,null,"OAuth client_id " + client_id + " not authenticated ",RESP.FAIL,resp,true);
+ }
+ }
+ }
+
+ // OK, have only a Token to validate
+ if (token!=null) {
+ AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG);
+
+ try {
+ Result ri = oaFacade.mappedIntrospect(trans, token);
+ if (ri.isOK()) {
+ TokenPerm tp = tkMgr.putIntrospect(ri.value, Hash.hashSHA256(token.getBytes()));
+ if (tp==null) {
+ return new OAuth2HttpTafResp(access, null, "TokenPerm persistence failure", RESP.FAIL, resp, false);
+ } else {
+ return new OAuth2HttpTafResp(access,new OAuth2Principal(tp,Hash.hashSHA256(token.getBytes())),"Token Authenticated",RESP.IS_AUTHENTICATED,resp,false);
+ }
+ } else {
+ return new OAuth2HttpTafResp(access, null, ri.errorString(), RESP.FAIL, resp, false);
+ }
+ } catch (APIException e) {
+ trans.error().log(e,"Error getting token");
+ return new OAuth2HttpTafResp(access, null, "Error getting token: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
+ } catch (NoSuchAlgorithmException e) {
+ return new OAuth2HttpTafResp(access, null, "Error in security algorithm: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false);
+ }
+ }
+ return new OAuth2HttpTafResp(access, null, "No OAuth2 Credentials in OAuthForm", RESP.TRY_ANOTHER_TAF, resp, false);
+ }
+
+ @Override
+ public Resp revalidate(CachedPrincipal prin, Object state) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ class ServiceTPL implements TokenPermLoader {
+ private final AuthzTrans trans;
+ public ServiceTPL(AuthzTrans atrans) {
+ trans = atrans;
+ }
+
+ @Override
+ public org.onap.aaf.cadi.client.Result load(String accessToken, byte[] cred) throws APIException, CadiException, LocatorException {
+ Result ri = oaFacade.mappedIntrospect(trans, accessToken);
+ if (ri.notOK()) {
+ //TODO what should the status mapping be?
+ return org.onap.aaf.cadi.client.Result.err(ri.status,ri.errorString());
+ }
+ return org.onap.aaf.cadi.client.Result.ok(200,tkMgr.putIntrospect(ri.value, cred));
+ }
+ }
+
+ public DirectAAFUserPass directUserPass() {
+ return directUserPass;
+ }
 }
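Review bot: In validate(), client_id, client_secret, username and password are read from `req.getParameterMap()`, which in the Servlet API merges query-string parameters with the form body, so the `application/x-www-form-urlencoded` content-type check does not stop a client secret or password from being supplied in the URL, where it typically ends up in access and proxy logs; consider rejecting the request when `req.getQueryString()` is non-null, or at least documenting that only body parameters are meant to carry credentials. The `client_secret.getBytes()` and `password.getBytes()` calls use the platform default charset, so a non-ASCII secret may be validated differently across deployments — `client_secret.getBytes(StandardCharsets.UTF_8)` pins it (with a `java.nio.charset.StandardCharsets` import). In the constructor, `Integer.parseInt(split[1])` on the configured introspect timeout is not covered by the multi-catch, so a malformed value escapes as NumberFormatException rather than the CadiException the rest of that block converts to. `altIntrospectClient` is assigned and given client credentials in the constructor but, as far as this hunk shows, is never read anywhere in the class, so those credentials are loaded without being used.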